Platform: nodejs
Component: mongoose
Fixed in: 6.13.6, 7.8.4, 8.9.5
CVE-2025-23061 is a critical vulnerability affecting Mongoose, a MongoDB driver for Node.js. It stems from improper handling of the $where operator, allowing attackers to inject and execute arbitrary JavaScript code within MongoDB queries, which can lead to unauthorized access, modification, or deletion of sensitive data. The vulnerability affects Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6; fixes are available in 6.13.6, 7.8.4 and 8.9.5 for the respective release lines.
The primary impact of CVE-2025-23061 is that an attacker can execute arbitrary JavaScript code within the MongoDB database server. This code can be used to bypass authentication mechanisms, read or modify sensitive data, or even gain complete control over the database server. The vulnerability is particularly concerning because it allows remote code execution without prior authentication, provided the attacker can get a crafted query processed. The risk is similar to that of CVE-2024-53900; this vulnerability exists because the fix for that earlier issue was incomplete. The blast radius extends to any application that uses the vulnerable Mongoose driver to interact with a MongoDB database.
CVE-2025-23061 was disclosed on January 15, 2025. The vulnerability is considered high probability due to the ease of exploitation and the potential for significant impact. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation. It is recommended to prioritize patching this vulnerability. This issue builds upon the findings of CVE-2024-53900, indicating a potential pattern of insufficient security measures in the Mongoose driver.
Applications utilizing the Mongoose driver to interact with MongoDB databases are at risk. This includes web applications, backend services, and any other Node.js applications relying on Mongoose for database access. Specifically, applications that dynamically construct MongoDB queries based on user input are particularly vulnerable.
• nodejs / server: npm list mongoose
• nodejs / server: npm audit mongoose
• nodejs / server: Check application code for usage of the $where operator in MongoDB queries, especially with user-supplied input.
• nodejs / server: Review MongoDB query logs for unusual JavaScript execution patterns or queries containing suspicious characters.
• nodejs / server: Use a static analysis tool to scan the codebase for potential vulnerabilities related to the $where operator.
Exploit status: disclosure
EPSS: 55.91% (98th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-23061 is to immediately upgrade to Mongoose version 8.9.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization on all user-supplied data used in MongoDB queries. Specifically, avoid using the $where operator whenever possible. If it's absolutely necessary, carefully review and validate any user-provided input used within the $where clause. Web application firewalls (WAFs) can be configured to detect and block malicious queries containing suspicious JavaScript code, but this is not a substitute for patching. There are no specific Sigma or YARA rules available at this time, but monitoring MongoDB query logs for unusual JavaScript execution patterns is recommended.
Update the Mongoose library to version 8.9.5 or later. This fixes the search injection vulnerability caused by the improper handling of a nested $where filter in a populate() match. The update prevents potential injection attacks.
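The advice above to validate user-supplied input before it reaches a $where clause or a populate() match can be enforced in the application itself. The following is an added example, not code from the Mongoose project or from this advisory: a guard that walks a filter object recursively and rejects a $where operator at any depth, because a check on top-level keys alone would miss $where nested inside $or or $and arrays, which is exactly the gap between the earlier fix and the one in 8.9.5. The function names and sample filters are constructed for illustration.

```javascript
// Added example (not Mongoose project code): reject the $where operator anywhere
// in a filter object before it is handed to populate({ match }) or find().
// A top-level-only key check would miss { $or: [{ $where: '...' }] }.

// Returns the path of the first $where found (e.g. '$.$or[1].$where'), or null.
function findWhereOperator(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findWhereOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '$where') return `${path}.${key}`;
      const hit = findWhereOperator(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Wrap a user-supplied match object: throw instead of forwarding $where to
// the driver. Returns the same object unchanged when it is clean.
function safePopulateMatch(userMatch) {
  const where = findWhereOperator(userMatch);
  if (where) {
    throw new Error(`rejected filter: $where operator found at ${where}`);
  }
  return userMatch;
}

// Constructed sample inputs, not real traffic.
const benignMatch = { status: 'published', tags: { $in: ['security'] } };
const nestedWhereMatch = {
  $or: [{ status: 'draft' }, { $where: 'return true' }],
};

module.exports = { findWhereOperator, safePopulateMatch, benignMatch, nestedWhereMatch };
```

Call safePopulateMatch() on any filter built from request data before passing it as the match option of populate() or to find(); an allowlist of permitted field names is a stronger complement where the query shape is known in advance.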
CVE-2025-23061 is a critical vulnerability in Mongoose versions before 8.9.5 that allows attackers to execute arbitrary JavaScript code within MongoDB queries due to improper handling of the $where operator.
You are affected if you are using Mongoose versions prior to 8.9.5, 7.8.4, or 6.13.6 and your application uses the $where operator in MongoDB queries.
Upgrade to Mongoose version 8.9.5 or later. If immediate upgrade is not possible, implement strict input validation and avoid using the $where operator.
While active exploitation is not yet confirmed, the vulnerability is considered high probability and public PoCs are likely to emerge, increasing the risk.
Refer to the Mongoose project's official security advisories and release notes on their GitHub repository: https://github.com/mongoosejs/mongoose